Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate

If you're running your own mailserver, it's best practice to connect to it securely over an SSL/TLS connection, and for that you need a certificate that clients trust. In this tutorial, we'll set up a Let's Encrypt certificate for the mailserver and make sure Postfix and Dovecot pick up each renewed certificate automatically.

Warning: This tutorial is based on this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/#create-auto-renewal-script-for-your-ispconfig-pem-file-ispserverpem but modified so you have a separate certificate for your mailserver and control panel. If you have followed that tutorial before, this tutorial might break your setup.

Note for ISPConfig 3.2: ISPConfig 3.2 is able to create a valid Let's Encrypt SSL certificate for the server hostname automatically during installation, which is used for the mail server as well. There is no need to manually create a Let's Encrypt SSL certificate as described here on ISPConfig 3.2 systems unless you need different domain names in the SSL certificate beside the server hostname.

Prerequisites

  • Your server should be installed according to the Perfect Server tutorial for your OS.

Getting started

I will be using the following hostnames for my mailserver: mail.example.com, smtp.example.com, imap.example.com.

Replace mail.example.com, smtp.example.com and imap.example.com throughout this tutorial with your own hostnames.

Create the DNS records for your hostname(s), so they point to your server. These should be A records (and AAAA records as well if the server has an IPv6 address). Let's Encrypt validates each name by fetching a file over HTTP from that hostname, so every name must resolve to this server and port 80 must be reachable from the internet. Then, in the ISPConfig interface, go to the Sites tab.

Issuing the certificate

Under Sites, click "Add new website". Set mail.example.com as domain. Disable Auto-Subdomain, and check the Let's Encrypt checkbox.

After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking "Add new aliasdomain". Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for any other hostnames.

Verify that the certificate is in place. You can do this with a tool like https://www.sslshopper.com/ssl-checker.html

It should look something like this:

Screenshot of SSL check

If the hostname(s) are listed and there are no other errors, you can proceed. Otherwise, check the errors and resolve them before going further.

Replacing the certificate with the Let's Encrypt certificate

Now we can replace the current (self-signed) certificate with the Let's Encrypt certificate. Log in to your server and run these commands:

(replace mail.example.com with the hostname you used for the website)

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem smtpd.key
systemctl restart postfix
systemctl restart dovecot

The certificate should now be used by your Postfix and Dovecot server. But we are not done yet! A Let's Encrypt certificate is valid for 90 days, and the renewal client replaces it roughly every 60 days. Postfix and Dovecot only read the certificate when they start, so we should automate restarting them after each renewal, so you can't forget about it.

Set up an automatic renewal script

Open a new script file:

nano /etc/init.d/le_mailserver_restart.sh

Paste this in that file (replace mail.example.com with the hostname you used):

#!/bin/sh
### BEGIN INIT INFO
# Provides: LE MAILSERVER CERT AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE MAILSERVER CERT AUTO UPDATER
# Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
### END INIT INFO
systemctl restart postfix
systemctl restart dovecot

To automatically trigger this script on renewal, we are going to install and set up incron.

apt install incron

Make the script executable and allow root to use incron:

chmod +x /etc/init.d/le_mailserver_restart.sh
echo "root" >> /etc/incron.allow

Now open the incrontab editor:

incrontab -e

Add this (again, replace mail.example.com with the hostname you used) to the file:

/etc/letsencrypt/archive/mail.example.com/ IN_MODIFY /etc/init.d/le_mailserver_restart.sh

A big thanks to forum user Ahrasis for the original code and tutorial.
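The restart script above blindly restarts Postfix and Dovecot whenever anything in the archive directory changes. The script below is an added example, not part of the original tutorial or of Ahrasis's code: it checks that the certificate and key in /etc/postfix actually belong together, that the certificate is not about to expire, and that it carries a subjectAltName for every mail hostname, and only then restarts the services. It assumes the symlink layout from the section above, that openssl is installed, and the three example hostnames; the script name and the --deploy flag are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the Let's
# Encrypt certificate before Postfix and Dovecot are restarted, so a
# mismatched, expired or wrong-hostname certificate never goes live.
# Assumes: the symlink layout from the tutorial, openssl on PATH, and the
# hostnames below (replace them with your own).

CERT=/etc/postfix/smtpd.cert
KEY=/etc/postfix/smtpd.key
HOSTS="mail.example.com smtp.example.com imap.example.com"

# cert_matches_key CERT KEY: succeed only if the public key inside the
# certificate is the one derived from KEY (works for RSA and EC keys).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST: succeed if HOST is one of the DNS entries in
# the certificate's subjectAltName. The match is exact: a certificate for
# mail.example.com does not cover smtp.example.com unless that name was
# added as an alias domain before the certificate was issued.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' \
        | grep -qx "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeed if CERT is valid now and does not
# expire within the next DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_cert CERT KEY HOST...: run all checks, report the first failure.
check_cert() {
    cert=$1; key=$2; shift 2
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $cert does not match $key" >&2; return 1; }
    cert_valid_for_days "$cert" 7 \
        || { echo "FAIL: $cert is expired or expires within 7 days" >&2; return 1; }
    for h in "$@"; do
        cert_covers_host "$cert" "$h" \
            || { echo "FAIL: $cert has no subjectAltName for $h" >&2; return 1; }
    done
    return 0
}

# Services are only restarted when the script is called with --deploy, so
# it can also be run by hand just to see whether the checks pass.
if [ "${1:-}" = "--deploy" ]; then
    # shellcheck disable=SC2086  # HOSTS is deliberately word-split
    if check_cert "$CERT" "$KEY" $HOSTS; then
        systemctl restart postfix
        systemctl restart dovecot
    else
        echo "Not restarting Postfix/Dovecot: certificate checks failed" >&2
        exit 1
    fi
fi
```

Save it somewhere like /usr/local/sbin/le_mailserver_check.sh, make it executable, and point the incrontab line at it with the --deploy argument instead of at /etc/init.d/le_mailserver_restart.sh. Run it without arguments first to confirm the checks pass against the certificate you just symlinked. Note that the incron trigger fires on writes to the archive directory, which certbot fills before it updates the symlinks in /etc/letsencrypt/live; if you are using certbot directly, its --deploy-hook option runs a command only after a successful renewal has been fully installed and is the more robust place for this script. To see what the servers actually present to clients, connect with `openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com` (and likewise on ports 465, 587, 993 and 995) and check the subject, the SAN list and the "Verify return code" in the output.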

Not working?

I once had a problem with this, because Let's Encrypt used one of the alias domains as the main domain of the certificate. You can find the main domain in the SSL checker mentioned earlier as "Common name", or by listing the contents of /etc/letsencrypt/live to see which of the (alias) domains has a folder there. Use that folder name in the symlink commands and in the incrontab line instead of mail.example.com.

If you still experience a problem, open a thread on the forum so others can help you out.
